Recently, one of my clients asked me: “Is there a way we can classify and protect our files in Microsoft 365 so that sensitive documents don’t get shared accidentally?”
They want a solution that enables users to collaborate and share files while maintaining the right level of security, such as encryption, watermarks, or access restrictions, depending on the type of content.
After exploring Microsoft 365’s security features, I found that Sensitivity Labels are the perfect answer. They allow you to classify data as Public, Internal, or Confidential, and even enforce protection policies that travel with the document or email, no matter where it goes.
In this tutorial, I’ll walk you through:
- What a Sensitivity Label is in Microsoft 365
- How to create a Sensitivity Label step by step using the Purview portal
Sensitivity Label is in Microsoft 365
A sensitivity label is like a security tag for your data in Microsoft 365. Just as you might stick a “Private” or “Top Secret” note on a physical file folder, a sensitivity label is a digital tag that helps you classify and protect your files, emails, and even collaboration spaces, such as Microsoft Teams or SharePoint sites.
However, these labels extend far beyond mere classification; they can also serve as a means of protection. Depending on how you configure them, a sensitivity label can:
- Encrypt content so that only authorized individuals can access it.
- Add watermarks, headers, or footers to remind users that the content is sensitive.
- Restrict actions like copying, printing, or forwarding emails.
- Control access in Teams, SharePoint, and OneDrive by limiting sharing to specific people or groups.
The best part of sensitivity labels is that the protection travels with the content. So even if a file is downloaded, emailed, or stored on another device, the same rules still apply.
Real-Life Examples
- Confidential Client Proposal: A sales manager creates a proposal for a high-value client. By applying a Confidential label, only employees from the Sales and Legal teams can access the file, and the document is stamped with a watermark that says “Confidential.”
- Internal HR Emails: The HR department sends out salary review letters. These emails are labeled Highly Confidential, which automatically encrypts the message, ensuring that only the intended recipient can read it and preventing the email from being forwarded.
- Public Marketing Material: A marketing team creates a product brochure that needs to be shared widely. They apply the Public label, which ensures there are no restrictions, so it can be freely shared with external users.
- Read-Only Research Document: Your organization wants to share a research report with a wide group of employees, but doesn’t want them to edit, copy, or print it.
Create a Sensitivity Label in Microsoft 365
Now that we know what sensitivity labels are and how they can be used in real scenarios, let’s see the steps actually to create one in Microsoft 365. For this, we’ll use the Microsoft Purview portal.
- Go to the Purview Portal, navigate to the left-hand menu, and select Solutions -> Information Protection.
- Then click the Sensitivity labels, and it will show a list of labels that already exist in your organization.
- If your organization has previously created labels, they will be displayed here.
- If no labels have been created yet, the page will appear blank.
- To create a new label, click + Create a label.
- When you click + Create a label, the wizard opens, where you can configure the details of your sensitivity label. On the Label details screen, you’ll need to fill in the following fields:
- Name: Enter a friendly name for the label (e.g., Confidential, Internal Only, Public). This is the internal name used across Microsoft 365.
- Display name: This is the name your users will see in apps when they apply the label. Make it simple and clear.
- Label priority: Determines which label takes precedence if multiple labels could apply. By default, the label you’re creating is set to the highest priority, but you can change this later.
- Description for users: A short explanation that appears to users when they apply the label, helping them understand its purpose. Example: “Use this label for documents containing sensitive financial data.”
- Description for admins: A note for administrators explaining the label’s use case or any internal details about how it should be applied.
- Label color: Choose a color to visually distinguish this label in the user interface.
- Once you’ve filled out these details, click Next to move on to the Scope settings.
- In this step, you choose where the sensitivity label can be applied. Labels in Microsoft 365 aren’t just for files; they can also protect emails, meetings, and even collaboration spaces like Teams and SharePoint sites.
- Files & other data assets: Apply the label to files stored in Microsoft 365 apps (Word, Excel, PowerPoint), Microsoft Fabric (like Power BI), and even Microsoft Azure.
- Emails: Protect email messages across all versions of Outlook.
- Meetings: Secure Teams and Outlook meeting invitations, as well as calendar events.
- Groups & sites: Control privacy, access, and settings for Microsoft Teams, Microsoft 365 Groups, SharePoint sites, and Loop workspaces.
- Since I only want this label to protect files and documents, I selected Files & other data assets. Then click Next.
- In this step, you decide what protection settings the sensitivity label should apply to files. You’ll see three options:
- Control access: Restrict who can open, view, or edit labeled items. You can configure detailed permissions like “Only specific users or groups can read this document,” or make it read-only.
- Apply content marking: Add a visual reminder to documents, such as headers, footers, or watermarks. Example: automatically stamping “Confidential” on every page of a file.
- Protect Teams meetings and chats: (Requires Teams Premium) Configure protection for Teams chats and meeting content.
- Since in our case we are applying the label only for files, you can choose:
- Control access if you want to encrypt files or restrict them to certain people.
- Apply content marking if you want to add headers, footers, or watermarks.
- Since we selected ‘Control access’ in the previous step, on this screen, you can decide who can access and what they can do with the labeled files.
- Assign permissions now or let users decide:
- Assign permissions now: Now we need to define the access rules for this label.
- Let users assign permissions: Users decide permissions when they apply the label to a file.
- User access to content expires:
- You can set content to expire after several days (useful for time-bound projects).
- Example: HR files are only accessible for 30 days.
- Allow offline access
- Choose if users can open the file when they’re not connected to the internet.
- Options: Always, Never, or Based on the number of days.
- Assign permissions to specific users and groups:
- Here, you define who can access the labeled files and what rights they have.
- Example:
- Only HR Team = View only (no download/print)
- Managers = Edit access
- Additional options:
- Use dynamic watermarking: Automatically adds the user’s email or timestamp as a watermark when viewing files. Great for preventing leaks.
- Use Double Key Encryption: For highly sensitive data that requires an additional key (common in regulated industries).
- Assign permissions now or let users decide:
- In your case, since I want users only to view (no download, no print) & only the internal people can see the document:
- Assign permissions -> Add all users and groups in your organization.
- Permissions -> Viewer.
- After clicking the next, Content marking helps users visually identify the sensitivity of a document. You can add:
- Watermark
- Appears diagonally or in the background of the document.
- Example: “Internal – Do Not Share”
- Header
- Text that appears at the top of the document.
- Example: “Internal Use Only”
- Footer
- Text that appears at the bottom of the document.
- Example: “Classified Information”
- Watermark
- Next screen: Auto-labeling automatically applies your sensitivity label (such as Internal) when specific conditions are met in files or emails.
- For example:
- If a file contains sensitive info (e.g., Employee ID, Salary Data, Credit Card Numbers).
- If an email has specific keywords (like “Confidential” or “Internal use only”).
- For example:
- In my case, I don’t need auto-labeling, so keep it disabled.
- Then, we need to define protection settings for groups and sites. In my case, I do not want to add any, so I click next.
- This is the final step, where we review our settings and complete the process. Finally, click Create label.
This way, you can create the Sensitivity labels in Microsoft 365.
In this Microsoft 365 tutorial, we learned what a sensitivity label is and how to create one step by step using the Microsoft Purview portal.
Additionally, you may find the following interesting tutorials:
- Publish Sensitivity Labels in Microsoft 365
- Enable Sensitivity Labels On PDF Using PowerShell
- Add Synonyms to SharePoint Term Store Metadata Terms
- Create SPFx Dynamic Accordion Webpart Using PnP Controls React
- Create a Choice Column With Fill-in Options in SharePoint Document Library
Hey! I’m Bijay Kumar, founder of SPGuides.com and a Microsoft Business Applications MVP (Power Automate, Power Apps). I launched this site in 2020 because I truly enjoy working with SharePoint, Power Platform, and SharePoint Framework (SPFx), and wanted to share that passion through step-by-step tutorials, guides, and training videos. My mission is to help you learn these technologies so you can utilize SharePoint, enhance productivity, and potentially build business solutions along the way.
